Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
15-09-2024 00:29
Static task
static1
Behavioral task
behavioral1
Sample
d37b9c7530ad72b0513c761093e8f760N.exe
Resource
win7-20240903-en
General
-
Target
d37b9c7530ad72b0513c761093e8f760N.exe
-
Size
1.9MB
-
MD5
d37b9c7530ad72b0513c761093e8f760
-
SHA1
24e645aaa27325bb6fa8e029644a9bbfcaeee447
-
SHA256
15b8f708189f176ba7fd0ba8150bbd06d44d17fc2baf6c3137c4b4113a42a983
-
SHA512
520884af155c6787ca5de4079b441c5792ad75c938b28efab224296ed825bdbfd950e267c0c6f7606cfcb5a7eed5e5027398ec09425518fe753f4fa92108ad4d
-
SSDEEP
49152:6rAe/Rk4P/VXFmZPZlvdvmAYpJiiycBa+BSptT6aG:6rAe/REZPvdvjG9ycBX1
Malware Config
Extracted
amadey
4.41
c7817d
http://31.41.244.10
-
install_dir
0e8d0864aa
-
install_file
svoutse.exe
-
strings_key
5481b88a6ef75bcf21333988a4e47048
-
url_paths
/Dem7kTu/index.php
Extracted
stealc
rave
http://185.215.113.103
-
url_path
/e2b1563c6670f193.php
Signatures
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 5 IoCs
Processes:
svoutse.exed37b9c7530ad72b0513c761093e8f760N.exesvoutse.exef576f79a87.exesvoutse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ d37b9c7530ad72b0513c761093e8f760N.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ f576f79a87.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ svoutse.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
svoutse.exesvoutse.exed37b9c7530ad72b0513c761093e8f760N.exesvoutse.exef576f79a87.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion d37b9c7530ad72b0513c761093e8f760N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion f576f79a87.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion f576f79a87.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion d37b9c7530ad72b0513c761093e8f760N.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion svoutse.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d37b9c7530ad72b0513c761093e8f760N.exesvoutse.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation d37b9c7530ad72b0513c761093e8f760N.exe Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation svoutse.exe -
Executes dropped EXE 4 IoCs
Processes:
svoutse.exef576f79a87.exesvoutse.exesvoutse.exepid process 4112 svoutse.exe 412 f576f79a87.exe 4612 svoutse.exe 4308 svoutse.exe -
Identifies Wine through registry keys 2 TTPs 5 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
d37b9c7530ad72b0513c761093e8f760N.exesvoutse.exef576f79a87.exesvoutse.exesvoutse.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine d37b9c7530ad72b0513c761093e8f760N.exe Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine f576f79a87.exe Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine svoutse.exe Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Wine svoutse.exe -
Loads dropped DLL 2 IoCs
Processes:
f576f79a87.exepid process 412 f576f79a87.exe 412 f576f79a87.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
svoutse.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f576f79a87.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000042001\\f576f79a87.exe" svoutse.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
d37b9c7530ad72b0513c761093e8f760N.exesvoutse.exef576f79a87.exesvoutse.exesvoutse.exepid process 3968 d37b9c7530ad72b0513c761093e8f760N.exe 4112 svoutse.exe 412 f576f79a87.exe 4612 svoutse.exe 4308 svoutse.exe -
Drops file in Windows directory 1 IoCs
Processes:
d37b9c7530ad72b0513c761093e8f760N.exedescription ioc process File created C:\Windows\Tasks\svoutse.job d37b9c7530ad72b0513c761093e8f760N.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
d37b9c7530ad72b0513c761093e8f760N.exesvoutse.exef576f79a87.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d37b9c7530ad72b0513c761093e8f760N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svoutse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f576f79a87.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
f576f79a87.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 f576f79a87.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString f576f79a87.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
d37b9c7530ad72b0513c761093e8f760N.exesvoutse.exef576f79a87.exesvoutse.exesvoutse.exepid process 3968 d37b9c7530ad72b0513c761093e8f760N.exe 3968 d37b9c7530ad72b0513c761093e8f760N.exe 4112 svoutse.exe 4112 svoutse.exe 412 f576f79a87.exe 412 f576f79a87.exe 412 f576f79a87.exe 412 f576f79a87.exe 412 f576f79a87.exe 412 f576f79a87.exe 4612 svoutse.exe 4612 svoutse.exe 4308 svoutse.exe 4308 svoutse.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
d37b9c7530ad72b0513c761093e8f760N.exesvoutse.exedescription pid process target process PID 3968 wrote to memory of 4112 3968 d37b9c7530ad72b0513c761093e8f760N.exe svoutse.exe PID 3968 wrote to memory of 4112 3968 d37b9c7530ad72b0513c761093e8f760N.exe svoutse.exe PID 3968 wrote to memory of 4112 3968 d37b9c7530ad72b0513c761093e8f760N.exe svoutse.exe PID 4112 wrote to memory of 412 4112 svoutse.exe f576f79a87.exe PID 4112 wrote to memory of 412 4112 svoutse.exe f576f79a87.exe PID 4112 wrote to memory of 412 4112 svoutse.exe f576f79a87.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d37b9c7530ad72b0513c761093e8f760N.exe"C:\Users\Admin\AppData\Local\Temp\d37b9c7530ad72b0513c761093e8f760N.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Users\Admin\AppData\Local\Temp\1000042001\f576f79a87.exe"C:\Users\Admin\AppData\Local\Temp\1000042001\f576f79a87.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:412
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4612
-
C:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exeC:\Users\Admin\AppData\Local\Temp\0e8d0864aa\svoutse.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4308
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
Filesize
1.9MB
MD5d37b9c7530ad72b0513c761093e8f760
SHA124e645aaa27325bb6fa8e029644a9bbfcaeee447
SHA25615b8f708189f176ba7fd0ba8150bbd06d44d17fc2baf6c3137c4b4113a42a983
SHA512520884af155c6787ca5de4079b441c5792ad75c938b28efab224296ed825bdbfd950e267c0c6f7606cfcb5a7eed5e5027398ec09425518fe753f4fa92108ad4d
-
Filesize
1.7MB
MD55d91654e434d738d19d7d1c5cc68d45c
SHA18e84ffee89d063a3d651c0b394b407e5dbe1ab20
SHA2564b0a44c5c46b353abd46e4f68f73f51123d00aaf5450d0953a84484a5f25e63f
SHA5123c76c1bbf8a11f7a01381ab488ee127960342ab2c64910bf16509d6038c99ba32260dbf6b9540343846fc316fe9ea042be3199f275b03ecf3316130269ddd8ff